Abstract

Let C be an arbitrary smooth algebraic curve of genus g over a large
finite field K. We revisit fast addition algorithms in the Jacobian of C
due to Khuri-Makdisi (math.NT/0409209, to appear in Mathematics of
Computation). The algorithms, which reduce to linear algebra in vector
spaces of dimension O(g) once $|K| \gg g$ and which asymptotically require
$O(g^{2.376})$ field operations using fast linear algebra, are shown to perform
efficiently even for certain low genus curves. Specifically, we provide
explicit formulae for performing the group law on Jacobians of $C_{3,4}$ curves
of genus 3. We show that, typically, the addition of two distinct elements
in the Jacobian of a $C_{3,4}$ curve requires 117 multiplications and 2
inversions in K, and an element can be doubled using 129 multiplications and
2 inversions in K. This represents an improvement of approximately 20%
over previous methods.

Remark (added August 22, 2007): A revised version of this article has 
been published as LMS J. Comput. Math. 10 (2007) 307-328 with an appendix 
of sample Magma code of our algorithms. The URL for the published version 
is: 

http://www.lms.ac.uk/jcm/10/lms2006-049/
1 Introduction and background

This article presents the fastest algorithms to date for arithmetic in the
Jacobians of certain nonhyperelliptic genus 3 curves — specifically, $C_{3,4}$ curves over
a very large finite field K that is not of characteristic 2 or 3. We attain this by
adapting the ideas from the asymptotically fastest algorithms known for general
curves of large genus [51 [TU]. Those algorithms boil down to linear algebra on
matrices of size $O(g) \times O(g)$, where g is the genus of the curve (more accurately,
$O(g(1 + \log g/\log|K|)) \times O(g)$, but recall that |K| is large), and thus have a
complexity of $O(g^{2.376})$ using the current record for fast linear algebra. Our
results in this article illustrate how the asymptotic improvements introduced
in [10], coupled with further new techniques, actually result in a significant
speedup even for low genus curves that are slightly "special" for their genus.
However, fairly special curves, such as hyperelliptic curves for example, are still
probably better implemented using Cantor's algorithm or the general methods
of [S], which have complexity $O(g^2)$ for curves of bounded gonality, but which
have complexity $O(g^4)$ for "most" curves of genus g.

Previous work on Jacobian group arithmetic for nonhyperelliptic genus 3
curves includes [2, 7], building on earlier work for curves of the form
$y^3 = x^3 + ax + \beta$, [3, 6]. The papers [2, 7] give slower algorithms for $C_{3,4}$ curves than
ours, under the same hypotheses on K. This article follows the lead introduced
by [3], and adopted by [2J El [7], in that we present algorithms that are designed
to work only for "typical", i.e., sufficiently generic, elements of the Jacobian of
C. Here, non-typical elements belong to a proper subvariety of the Jacobian,
and so occur with frequency $O(1/|K|)$, which means that they do not arise in
practice. As in those previous articles, we also measure the complexity of our
algorithms by counting the number of multiplications and inversions that need
to be performed in K. This is reasonable, because in practical implementations
of finite field arithmetic, addition and subtraction are much faster than
multiplication or inversion, and inversion can take between 3 and 10 times as long as
multiplication, as pointed out in [2]. Our approach requires 117 multiplications
and 2 inversions in K to add a typical pair of distinct elements of the
Jacobian; we abbreviate this complexity as 117M, 2I. In contrast, the complexity of
adding a typical pair of distinct elements in [7] is 145M, 2I, while the
complexity in [2] is 150M, 2I. As for doubling a typical element of the Jacobian, our
approach requires 129M, 2I, as opposed to the doubling algorithm in [7], which
needs 167M, 2I, and to that in [2], which needs 174M, 2I. Our algorithms and
those of [7] actually compute first the negative of a sum of two elements of the
Jacobian (respectively $-2$ times an element during doubling), and then invert
the final result. The final inversion costs 7M in our approach, and 16M in [7]
(as gathered from an inspection of their computer code). This final inversion is
not needed if one wishes to compute a large multiple of an element of the
Jacobian by the usual "double and add" method; one can use instead the approach
in [1], which uses the "addflip" primitive $(\xi, \xi') \mapsto -(\xi + \xi')$ (where $\xi$ may equal
$\xi'$ for multiplication by $-2$) instead of the usual addition and doubling. Due
to recent progress in index calculus methods for discrete logarithms (see [4], [5],
and their references), it appears unlikely that the discrete logarithm problem in
Jacobians of $C_{3,4}$ curves is worth using as a cryptographic primitive; the
methods of this paper might still be useful for cover attacks on discrete logarithms
of other curves.

For the general problem of computing effectively in Jacobians, our results
in this article confirm the advantages of using the approach of [10]. Even
though we write down polynomials in this article, our algorithms work mainly
via linear algebra in spaces of sections of line bundles, which we discuss here in
the language of Riemann-Roch spaces $\mathcal{L}(D)$ associated to appropriate divisors
on C. We perform almost no polynomial arithmetic, and instead use linear
algebra on small matrices (essentially, $3 \times 5$ and $8 \times 10$, both explicitly and
implicitly) which are often fairly structured. For example, our matrix may have
two blocks that are almost in echelon form; hence an intelligent approach to
Gaussian elimination produces efficient algorithms. We also optimise by hand
any parts of the calculations that yield easily to an ad hoc trick or to more
systematic approaches. We hope that some of these methods can be useful
elsewhere.

The second named author (KKM) would like to thank K. and C. Adal for 
providing computer access and an agreeable work environment during the sum- 
mer of 2006, when the author's usual office was inaccessible. 

2 Overview of our algorithms 

Consider a $C_{3,4}$ curve C of genus 3 over a large finite field K with $q = p^n$
elements. We assume that p, the characteristic of K, is neither 2 nor 3 (similarly
to [2, 7]; those articles also exclude characteristic 5). Let $P_\infty \in C$ denote the
distinguished point at infinity and D a K-rational divisor on C. Write $\mathcal{L}(D)$ for
the Riemann-Roch space of rational functions on C with prescribed zeros and
poles at D:

$$\mathcal{L}(D) = \{F \in K(C) \mid (F) \geq -D\}.$$

Write $\mathcal{R}$ for the affine coordinate ring of $C - \{P_\infty\}$; hence
$\mathcal{R} = \bigcup_{N \geq 0} \mathcal{L}(NP_\infty)$.
By definition of a $C_{3,4}$ curve, $\mathcal{R}$ is generated as a K-algebra by two elements x,
y whose valuations $v_{P_\infty}$ are given by

$$v_{P_\infty}(x) = -3, \qquad v_{P_\infty}(y) = -4.$$

The only relation between x and y is a K-linear dependence $f(x,y) = 0$ between
$1, x, y, x^2, xy, y^2, x^3, x^2y, xy^2, y^3, x^4 \in \mathcal{L}(12P_\infty)$. Thus, the affine coordinate
ring of $C - \{P_\infty\}$ is $\mathcal{R} = K[x,y]/(f(x,y))$. After a change of variables of the
form

$$x \mapsto u_1 x + u_2, \qquad y \mapsto u_3 y + u_4 x + u_5, \qquad u_1, \ldots, u_5 \in K, \quad u_1, u_3 \neq 0,$$

we can assume that the equation of the curve is

$$f(x,y) = y^3 - x^4 + p_2 x^2 y + p_1 xy + p_0 y + q_2 x^2 + q_1 x + q_0 = 0. \qquad (1)$$
We further write $W^N = \mathcal{L}(NP_\infty)$; it is the subspace of $\mathcal{R}$ spanned by the
monomials

$$\{x^i y^j \mid 3i + 4j \leq N\},$$

subject to the relation (1). To obtain a basis of $W^N$, we restrict ourselves to
monomials with exponent pairs $(i,j)$ with $j \leq 2$, or alternatively to pairs $(i,j)$
with $i \leq 3$; this takes equation (1) into account. Note that

$$\begin{aligned}
W^0 = W^1 = W^2 &= K \cdot 1 &&\text{is 1-dimensional} \\
W^3 &= K \cdot 1 + K \cdot x &&\text{is 2-dimensional} \\
W^4 = W^5 &= K \cdot 1 + K \cdot x + K \cdot y &&\text{is 3-dimensional}
\end{aligned}$$

and for $N \geq 6$, $W^N$ is $(N-2)$-dimensional.

Let D be an effective K-rational divisor. Following the approach of [51 [TP],
we represent D by the space $W_D^N$ defined by

$$W_D^N = \mathcal{L}(NP_\infty - D) \subset W^N$$

for some suitable positive integer N. If D is arbitrary of degree d, then we need
to consider $N \geq d + 6$ (here, $6 = 2g$ for $g = 3$, the genus of the curve, to ensure
that $W_D^N$ is base-point free). However, for a typical divisor D, we can take
$N = d + 4$ (here, $4 = g + 1$). This is a consequence of the following standard
result from the theory of linear series on curves:

Proposition 2.1 Let D be a typical effective K-rational divisor of degree $d \geq 3$
on C. In particular, $P_\infty$ does not belong to the support of D. Then

$$\dim W_D^N = \begin{cases} 0 & \text{if } N \leq d + 2 \\ N - d - 2 & \text{if } N \geq d + 2. \end{cases}$$

Furthermore, if $N \geq d + 4$, then $W_D^N$ is base-point free, and there exist two
elements $F \in W_D^{d+3}$ and $G \in W_D^{d+4} - W_D^{d+3}$ that form a basis for the 2-dimensional
subspace $W_D^{d+4} \subset W_D^N$, with the property that the only common vanishing of F
and G occurs at D. In other words,

$$\begin{aligned}
(F) &= -(d+3)P_\infty + D + E \\
(G) &= -(d+4)P_\infty + D + E',
\end{aligned}$$

where E and E' are disjoint effective divisors.

Remark 2.2 Since F and G above vanish simultaneously only at D, we see
that our basis {F, G} for $W_D^{d+4}$ is in fact an ideal generating set (an IGS) for
D in the terminology of [10]. Thus, the ideal $(F, G) = \mathcal{R}F + \mathcal{R}G$ of the affine
coordinate ring $\mathcal{R}$ is the ideal of elements of $\mathcal{R}$ (i.e., of regular functions on
$C - \{P_\infty\}$) vanishing on D. The quotient $A = \mathcal{R}/(F,G)$ is a d-dimensional
K-algebra describing the "values" that a polynomial can take at the points of D.
This makes sense even if the points of D are not all defined over K, so long as
the divisor D itself is K-rational. Moreover, there is a K-linear map

$$W^N / W_D^N \to A$$

that is a bijection for $N \geq d + 2$, for typical D with $d \geq 3$.

Remark 2.3 As mentioned above, a "typical" divisor D is one that does not
belong to a specific proper (that is, at most $(d-1)$-dimensional) subvariety of
the d-dimensional symmetric power $\mathrm{Sym}^d C$ parametrising the degree d effective
divisors on C. For very large $q = |K|$, the probability for a divisor D to be
non-typical is $O(1/q)$. For enormous q, we do not expect to ever chance upon a
non-typical divisor in our calculations. In case we do, it was already remarked
in [5] that we can then use a slower algorithm that works for all divisors.
For example, we can use the larger space $W_D^{d+6}$ instead of $W_D^{d+4}$, and adapt the
algorithms accordingly.

We now discuss how we compute with typical elements of the Jacobian J of
C. An element $\xi \in J(K)$ can be represented as the divisor class $[D - 3P_\infty]$ for
some effective K-rational divisor D with $\deg D = 3$. A typical class corresponds
to a typical divisor D in a unique way. In turn, we represent D by a basis
{F, G} for the 2-dimensional space $W_D^7$, i.e., by elements
$F, G \in W_D^7 \subset \mathcal{R} = K[x,y]/(f(x,y))$. We can choose the basis {F, G} to have the form

$$\begin{aligned}
F &= x^2 + ay + bx + c \in W_D^6 \subset W_D^7 \\
G &= xy + dy + ex + f \in W_D^7 - W_D^6.
\end{aligned} \qquad (2)$$

Here $a \neq 0$ for typical divisors, and, for technical reasons, we also store the
inverse $a^{-1}$ along with the coefficients $a, b, \ldots, f \in K$ in order to represent
$\xi = [D - 3P_\infty]$.

Our addition algorithm begins with a typical pair $\xi, \xi' \in J(K)$ and computes
their sum $\xi + \xi'$. Our doubling algorithm corresponds to the special case $\xi = \xi'$,
in which case we compute $2\xi = \xi + \xi$. In both cases, we first compute
$\xi'' = -(\xi + \xi')$, the "addflip" of the two elements in the terminology of [HI HO]. We
then compute $\xi''' = -\xi''$. In practice, most of the use of Jacobian arithmetic
will be to find a multiple $m \cdot \xi$ with $m \in \mathbb{Z}$. In that case, we can use the "base
$-2$ expansion" of [1] and only find the addflips $\xi''$ in the intermediate steps
without any need for further negations.

We thus start with $\xi = [D - 3P_\infty]$ and $\xi' = [D' - 3P_\infty]$, with bases {F, G} for
$W_D^7$ and {F', G'} for $W_{D'}^7$. In our first phase (Steps 1 and 2 below) we produce
a basis {F'', G''} for $W_{D''}^7$, where $[D + D' + D'' - 9P_\infty] = 0$ in J(K). Thus F'', G''
represent $\xi'' = [D'' - 3P_\infty] = -(\xi + \xi')$. In our second phase (Step 3 below),
we find a basis {F''', G'''} for $W_{D'''}^7$, where $[D'' + D''' - 6P_\infty] = 0$ in J(K). At
this point, F''', G''' represent $\xi''' = [D''' - 3P_\infty] = \xi + \xi'$. Along the way, we also
obtain the inverses $(a'')^{-1}$ and $(a''')^{-1}$ of the analogous coefficients in F'' and
F'''. Here is a more detailed overview:






2.1 Step 1 

This step comprises Sections 3–7 of this article. We first determine the space
$W^{10}_{D+D'}$, along with its subspace $W^9_{D+D'}$. Since D + D' is typical, we have that
$\dim W^9_{D+D'} = 1$ and $\dim W^{10}_{D+D'} = 2$. Thus, there exists a basis {s, t} for
$W^{10}_{D+D'}$ of the form

$$\begin{aligned}
s &= x^3 + s_1 y^2 + s_2 xy + s_3 x^2 + s_4 y + s_5 x + s_6 \\
  &= 0x^2y + 1x^3 + \ldots \in W^9_{D+D'} \subset W^{10}_{D+D'} \\
t &= x^2y + t_1 y^2 + t_2 xy + t_3 x^2 + t_4 y + t_5 x + t_6 \\
  &= 1x^2y + 0x^3 + \ldots \in W^{10}_{D+D'} - W^9_{D+D'},
\end{aligned} \qquad (3)$$

with $s_1, \ldots, s_6, t_1, \ldots, t_6 \in K$. Our aim is thus to find s and t. Note that the
principal divisor (s) has the form $(s) = D + D' + D'' - 9P_\infty$ for some effective
K-rational divisor D'' of degree 3. Hence, $[D + D' + D'' - 9P_\infty] = 0$, and
$\xi'' = -(\xi + \xi')$ as desired.

Carrying out Step 1 depends on whether $D \neq D'$ (corresponding to addition)
or $D = D'$ (corresponding to doubling).



2.1.1 Point addition 

If $D \neq D'$, then D and D' typically have no point in common, in which case

We find this intersection by looking for those elements of $W^{10}_{D'}$ that map to zero
in the quotient ring $A = \mathcal{R}/(F,G)$ (hence such elements also vanish at D). We
set up A in Section 3, compute how a basis for $W^{10}_{D'}$ maps to A in Section 4,
and find the kernel of the map $(W^{10}_{D'} \to A)$ in Sections 6 and 7.



2.1.2 Point doubling 

If D = D', then we compute as the subspace of elements $L \in W^{10}_D$ whose
differential dL also vanishes at D. This differs from the case of addition above
only in computing a map $(W^{10}_D \to A') : L \mapsto dL$ "mod" (F, G), where A' is a
3-dimensional K-vector space describing the "values" that dL can take at the
points of D. We describe this in Section 5, the analogue of Section 4 with
respect to point addition. Thereafter, the remaining calculations in Sections 6
and 7 proceed similarly to the case of point addition.



2.2 Step 2 

This step comprises Sections 8 and 9 below. At this stage, we have a basis {s, t}
for $W^{10}_{D+D'}$ as in (3), which is typically an IGS for D + D' as in Remark 2.2.
Thus,

$$\begin{aligned}
(s) &= D + D' + D'' - 9P_\infty, \\
(t) &= D + D' + E'' - 10P_\infty,
\end{aligned}$$

with D'' and E'' disjoint. We note that $sW^8 = W^{17}_{D+D'+D''}$ as in [9]. Taking a
basis of monomials for $W^8$, we see that the following is a basis for $sW^8$:

$$\{s, xs, ys, x^2s, xys, y^2s\}.$$

We next compute $W^7_{D''}$. It is the "quotient", as in [10], of $sW^8 = W^{17}_{D+D'+D''}$
by the IGS {s, t} for D + D':

$$\begin{aligned}
W^7_{D''} &= sW^8 \div \{s, t\} \\
          &= \{\ell \in W^7 \mid s\ell, t\ell \in sW^8\} \\
          &= \{\ell \in W^7 \mid t\ell \in sW^8\}.
\end{aligned} \qquad (4)$$

Since $W^7$ has basis $\{1, x, y, x^2, xy\}$ and we have a basis for $sW^8$, the condition
$t\ell \in sW^8$ amounts to finding a linear combination of $t, xt, yt, x^2t$, and $xyt$ that
is also a linear combination of $s, xs, ys, x^2s, xys$, and $y^2s$. Equivalently, we
must determine the intersection of the 5- and 6-dimensional subspaces $tW^7$ and
$sW^8$ inside $W^{17}$. This intersection will have a basis of the form {tF'', tG''},
where {F'', G''} are a basis for the space $W^7_{D''}$ of solutions for $\ell$ in (4) above.
Note that the intersection appears to take place in the 15-dimensional space $W^{17}$
(where typical 5- and 6-dimensional spaces do not intersect), but actually occurs
inside the 9-dimensional space $W^{17}_{D+D'}$, which contains (in fact, is generated by)
the two subspaces $tW^7$ and $sW^8$. This reduces the amount of linear algebra
that we need to perform. We formalise this in the following lemma:

Lemma 2.4 Let $\ell \in W^7$. Then $t\ell \in sW^8$ if and only if $t\ell \in sW^8 + W^9$. (This
is equivalent to saying that $t\ell$ is congruent to an element of $sW^8$ in the quotient
space $W^{17}/W^9$.)

Proof:

Trivially, $t\ell \in sW^8$ implies that $t\ell \in sW^8 + W^9$. To prove the converse, suppose
that $t\ell = s\ell' + \ell''$, with $\ell' \in W^8$ and $\ell'' \in W^9$. Note that $t\ell, s\ell' \in W^{17}_{D+D'}$. Then,
since $\ell'' \in W^9$, we obtain

$$\ell'' = t\ell - s\ell' \in W^9_{D+D'} = K \cdot s,$$

and so we can write

$$t\ell - s\ell' = \alpha s, \qquad \alpha \in K,$$

from which we have

$$t\ell = (\ell' + \alpha)s \in sW^8,$$

as required. Note incidentally that $sW^8 \cap W^9 = Ks$, so
$\dim(sW^8 + W^9) = 6 + 7 - 1 = 12$. □



We conclude from the above discussion that we can obtain $F'', G'' \in W^7_{D''}$ as
follows:

1. Denote F'' or G'' by $\ell = d_1 + d_2 x + d_3 y + d_4 x^2 + d_5 xy$. Here $\{d_4, d_5\} = \{0, 1\}$
in some order, and we must solve for $d_1, d_2, d_3$ such that $t\ell \in sW^8 + W^9$.

2. Find $C_1, \ldots, C_5$, the images of $t, xt, yt, x^2t, xyt$ in the 3-dimensional
quotient space $W^{17}/(sW^8 + W^9)$. (One can moreover see from Section 9 that
a basis for this quotient space is given by the images of $x^2y$, $xy^2$, and
$x^2y^2$.)

3. The three resulting equations $d_1C_1 + \ldots + d_5C_5 = 0$ allow us (in the
typical case) to express $d_1, d_2, d_3$ in terms of $d_4, d_5$. We thus get a basis
$\{(c'', b'', a'', 1, 0), (f'', e'', d'', 0, 1)\}$ for the space
$\{(d_1, \ldots, d_5) \mid d_1C_1 + \ldots + d_5C_5 = 0\}$. This corresponds to elements
$F'' = c'' + b''x + a''y + x^2$ and $G'' = f'' + e''x + d''y + xy$ that form a basis
for $W^7_{D''}$. The structure of
the system of linear equations allows us to find $(a'')^{-1}$ along the way at
minimal extra cost.



2.3 Step 3 

This step comprises Section 10. At this point we have obtained our IGS
{F'', G''} for the divisor D'', where $\xi'' = [D'' - 3P_\infty] = -(\xi + \xi')$. We also
know $(a'')^{-1}$. We now discuss how to negate this to obtain $\xi''' = -\xi'' = \xi + \xi'$.
The divisor of F'' has the form $(F'') = D'' + D''' - 6P_\infty$ for some effective
K-rational divisor D''', and it follows that $\xi''' = [D''' - 3P_\infty]$. We thus seek the
polynomials

$$\begin{aligned}
F''' &= x^2 + a'''y + b'''x + c''' \in W^6_{D'''} \\
G''' &= xy + d'''y + e'''x + f''' \in W^7_{D'''}
\end{aligned}$$

that represent D''' and hence $\xi'''$. We easily observe that F'' = F''', since
$W^6_{D'''} = W^6_{D''} = W^6_{D''+D'''} = K \cdot F''$. Hence a''' = a'', so we trivially know the
inverse $(a''')^{-1}$.

It remains to find G'''. Analogously to (4) and to Lemma 2.4, we have
$F''W^8 = W^{14}_{D''+D'''}$, and so

$$\begin{aligned}
W^7_{D'''} &= F''W^8 \div \{F'', G''\} \\
           &= \{\ell \in W^7 \mid G''\ell \in F''W^8\} \\
           &= \{\ell \in W^7 \mid G''\ell \in F''W^8 + W^6\}.
\end{aligned} \qquad (5)$$

We thus have $G''G''' + F''H = 0$ for some $H \in W^8$. We can in principle carry
out an analogous computation to Step 2, but this case is small enough that it is
worth our while to carry out the calculation directly and to hand-optimise it to
find G'''. We also find an explicit expression for H, which is useful in a different
context that we encounter in Section 5.



3 Preliminary to both point addition and doubling

Consider the input $F = x^2 + ay + bx + c$ and $G = xy + dy + ex + f \in W^7_D$
representing a divisor D of degree 3. We know that $(F, G) = \mathcal{R}F + \mathcal{R}G$ is the
ideal of regular functions on $C - \{P_\infty\}$ vanishing at D. Our goal is to be able
to compute in the algebra of "values" of polynomials at D, given by

$$A = \mathcal{R}/(F,G).$$

Since $\deg D = 3$, we have $\dim_K A = 3$. Given $u \in \mathcal{R}$, the element $\bar{u} \in A$ denotes
the reduction of u modulo (F, G).

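Lemma 3.1 A K-basis for A is $\{\bar{1}, \bar{x}, \bar{y}\}$. Furthermore,

$$\begin{aligned}
\bar{x}^2 &= -a\bar{y} - b\bar{x} - c\bar{1} && (6) \\
\bar{x}\bar{y} &= -d\bar{y} - e\bar{x} - f\bar{1} && (7) \\
\bar{y}^2 &= -g\bar{y} - h\bar{x} - i\bar{1} && (8)
\end{aligned}$$

where a, b, c, d, e and f are the coefficients of F and G and

$$\begin{aligned}
g &= a^{-1}(c + d(d - b)) + e \\
h &= a^{-1}(ed - f) \\
i &= a^{-1}(ec + f(d - b)).
\end{aligned} \qquad (9)$$

Proof:

Equations (6) and (7) reflect the fact that $F, G \in (F, G)$. Equations (8)–(9) come
from expanding $(y + e)F - (x + b - d)G \in (F, G)$. Equations (6)–(8) show that
every element $\bar{u} \in A$ can be written as a K-linear combination of $\bar{1}$, $\bar{x}$ and $\bar{y}$.
Since A is three dimensional, we obtain that $\bar{1}$, $\bar{x}$ and $\bar{y}$ are linearly independent.

□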

Given $u \in \mathcal{R}$, we represent its reduction $\bar{u} = \alpha\bar{1} + \beta\bar{x} + \gamma\bar{y} \in A$ by the column
vector

$$B_u = \begin{pmatrix} \alpha \\ \beta \\ \gamma \end{pmatrix} \in K^3.$$

We then have

Proposition 3.2 Assume given F and G, as well as the inverse $a^{-1}$.

1. For $B_u$ defined as above, we have

$$B_{xu} = T_x B_u, \qquad B_{yu} = T_y B_u,$$

where $T_x$ and $T_y$ are the matrices of multiplication by x and y on A, with
respect to the ordered basis $\{\bar{1}, \bar{x}, \bar{y}\}$:

2. We have the entries of $T_x$ for free (i.e., at a cost of 0M); multiplying $T_x$
by a vector $B_u$ costs 6M.

3. We can compute the entries of $T_y$ using 7M. Once we know $T_y$, multiplying
$T_y \cdot B_u$ to get $B_{yu}$ also costs 6M.

4. If we do not already know $T_y$, we can obtain $B_{yu}$ directly at a cost of 11M.

Proof:

The proof of parts 1–3 is immediate by inspecting (6)–(9) above. As for part 4,
we need to compute the reduction modulo (F, G) of $v = \alpha y + \beta xy + \gamma y^2$ in order
to obtain $B_{yu}$. Now v is congruent to $w = v - \gamma a^{-1}(yF - xG)$, so we have

$$w = \gamma a^{-1}f\,x + (\alpha - \gamma a^{-1}c)\,y + \gamma a^{-1}e\,x^2 + [\beta - \gamma a^{-1}(b - d)]\,xy = \delta x + \epsilon y + \zeta x^2 + \eta xy$$

where $\delta, \epsilon, \zeta, \eta$ can be calculated using 5M (first find $\gamma a^{-1}$). Then the reduction
modulo (F, G) of v is $w - \zeta F - \eta G$, whence




costing an additional 6M. □
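The following Python sketch is an added illustration, not the authors' Magma code. It builds $T_x$ and $T_y$ column by column from equations (6)–(8) with $g, h, i$ from (9), and implements the direct computation of $B_{yu}$ from part 4 by expanding $w - \zeta F - \eta G$ on the basis $\{1, x, y\}$. The prime `P` and the coefficients of F and G are constructed sample values (they are not checked to come from a divisor on a particular curve, which the identities tested here do not require).

```python
# Added illustration: arithmetic in A = R/(F, G) over a prime field F_p.
P = 10007                  # constructed small prime standing in for the large field K
F_COEF = (3, 5, 7)         # constructed (a, b, c): F = x^2 + a*y + b*x + c, a != 0
G_COEF = (2, 11, 13)       # constructed (d, e, f): G = x*y + d*y + e*x + f


def structure_constants(F, G, a_inv, p=P):
    """g, h, i of equation (9): y^2 = -g*y - h*x - i in A."""
    a, b, c = F
    d, e, f = G
    g = (a_inv * (c + d * (d - b)) + e) % p
    h = a_inv * (e * d - f) % p
    i = a_inv * (e * c + f * (d - b)) % p
    return g, h, i


def mult_matrices(F, G, a_inv, p=P):
    """Multiplication-by-x and -by-y matrices on the ordered basis {1, x, y}.

    Column k holds the coordinates of x (resp. y) times the k-th basis
    element, read off from equations (6)-(8).
    """
    a, b, c = F
    d, e, f = G
    g, h, i = structure_constants(F, G, a_inv, p)
    Tx = [[0, -c % p, -f % p],
          [1, -b % p, -e % p],
          [0, -a % p, -d % p]]
    Ty = [[0, -f % p, -i % p],
          [0, -e % p, -h % p],
          [1, -d % p, -g % p]]
    return Tx, Ty


def matmul(X, Y, p=P):
    return [[sum(X[r][k] * Y[k][c] for k in range(3)) % p for c in range(3)]
            for r in range(3)]


def matvec(X, v, p=P):
    return [sum(X[r][k] * v[k] for k in range(3)) % p for r in range(3)]


def times_y_direct(Bu, F, G, a_inv, p=P):
    """Part 4 of Proposition 3.2: B_{yu} from B_u without building T_y (11M)."""
    a, b, c = F
    d, e, f = G
    alpha, beta, gamma = Bu
    t = gamma * a_inv % p                 # gamma * a^{-1}: 1M
    delta = t * f % p                     # delta, eps, zeta, eta: 4M more
    eps = (alpha - t * c) % p
    zeta = t * e % p
    eta = (beta - t * (b - d)) % p
    # Coordinates of w - zeta*F - eta*G on {1, x, y}: 6M
    return [(-zeta * c - eta * f) % p,
            (delta - zeta * b - eta * e) % p,
            (eps - zeta * a - eta * d) % p]


def relation_residue(coef, lead, Tx, Ty, p=P):
    """lead + u*Ty + v*Tx + w*I for coef = (u, v, w); zero iff the relation holds in A."""
    u, v, w = coef
    return [[(lead[r][c] + u * Ty[r][c] + v * Tx[r][c] + (w if r == c else 0)) % p
             for c in range(3)] for r in range(3)]


if __name__ == "__main__":
    a_inv = pow(F_COEF[0], -1, P)
    Tx, Ty = mult_matrices(F_COEF, G_COEF, a_inv)
    print("T_x =", Tx)
    print("T_y =", Ty)
    print("F acts as", relation_residue(F_COEF, matmul(Tx, Tx), Tx, Ty))
```

Because $\bar{F} = \bar{G} = 0$ in A, substituting the two matrices into F and G must give the zero matrix, and $T_x$ and $T_y$ must commute; both are quick checks that the constants in (9) were transcribed correctly.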



4 First stage of addition of two distinct divisor classes: setting up a
system of equations whose solution will determine $W^{10}_{D+D'}$

Our input is now the descriptions of two typical degree 3 divisors D, D', given by
$F = x^2 + ay + bx + c$, $G = xy + dy + ex + f \in W^7_D$ and $F' = x^2 + a'y + b'x + c'$,
$G' = xy + d'y + e'x + f' \in W^7_{D'}$, along with the inverses $a^{-1}$ and $(a')^{-1}$. Our goal in
this section is to determine a $3 \times 5$ matrix M whose five columns are respectively
$B_{F'}, B_{xF'}, B_{yF'}, B_{G'}, B_{xG'}$, in the notation of Section 3. The kernel of M will
then correspond to $W^{10}_{D+D'}$ as follows: if $v = (c_1, c_2, c_3, c_4, c_5)^T$ is a (column)
vector in $K^5$, then we identify it with the linear combination

$$L = (c_1 + c_2 x + c_3 y)F' + (c_4 + c_5 x)G' \in (F', G') \cap W^{10} = W^{10}_{D'}.$$

Then $Mv = 0$ if and only if $\bar{L} = 0$ in A, which is equivalent to

$$L \in (F, G) \cap W^{10}_{D'} = W^{10}_{D+D'},$$

where the last equality follows from the fact that D and D' are disjoint.

Proposition 4.1 Given $F, G, F', G', a^{-1}$ as above, we can compute the matrix
M at a cost of 22M.
Proof:

The first column $B_{F'}$ of M comes from

$$\begin{aligned}
\overline{F'} &= F' - F \bmod (F, G) \\
              &= (a' - a)\bar{y} + (b' - b)\bar{x} + (c' - c)\bar{1}.
\end{aligned}$$

Hence we get the following result for free (i.e., 0M):


We similarly obtain the fourth column $B_{G'}$ of M for free:

$$B_{G'} = \begin{pmatrix} f' - f \\ e' - e \\ d' - d \end{pmatrix}.$$

We now compute the second and fifth columns $B_{xF'}$ and $B_{xG'}$ by noting the
block matrix equation involving the matrix $T_x$ of Proposition 3.2:

$$(B_{xF'} \mid B_{xG'}) = T_x (B_{F'} \mid B_{G'}).$$

Since the first column of $T_x$ is $(0, 1, 0)^T$, its interaction with the first row of
$(B_{F'} \mid B_{G'})$ can be computed without any multiplication in K. We must then
multiply the $3 \times 2$ submatrix consisting of the second and third columns of $T_x$
with the $2 \times 2$ submatrix consisting of the second and third rows of $(B_{F'} \mid B_{G'})$.
This can be done using 11M using a Strassen-type multiplication on a $2 \times 2$
sub-block, which saves one multiplication over the "naive" method. Finally, we
use part 4 of Proposition 3.2 to compute the third column $B_{yF'}$ from $B_{F'}$ at a
further cost of 11M. This concludes the proof. □



5 First stage of doubling a divisor class: setting 
up a system of equations whose solution will 
determine 

In this section, we take D' = D, so our input consists of the two polynomials
$F = x^2 + ay + bx + c$, $G = xy + dy + ex + f \in W^7_D$, where D is a degree
3 divisor. Analogously to Section 4, we will construct a $3 \times 5$ matrix, which
we also label as M, whose columns represent the "reductions modulo (F, G)"
of the differential forms $dF, d(xF), d(yF), dG, d(xG)$. These differential forms
are regular on $C - \{P_\infty\}$, so we really want the columns of M to represent
the "values" of $dF, \ldots, d(xG)$ at the points of D, much in the same way that
elements of the algebra A describe values at D.
As in Section 4, a column vector $v = (c_1, c_2, c_3, c_4, c_5)^T \in K^5$ represents

$$L = (c_1 + c_2 x + c_3 y)F + (c_4 + c_5 x)G \in (F, G) \cap W^{10} = W^{10}_D.$$

This time, $Mv = 0$ if and only if the differential form
$dL = c_1\,dF + c_2\,d(xF) + c_3\,d(yF) + c_4\,dG + c_5\,d(xG)$ vanishes at D. Since generically the points of D are
distinct, this means that such an L vanishes to second order at the points of D, so
we obtain that $Mv = 0$ if and only if $L \in$ . Since, e.g., $d(xF) = x\,dF + F\,dx$,
and F vanishes at D, we see that the value of $d(xF)$ at D is the same as that of
$x\,dF$, and so forth. Thus the columns of our matrix M can be taken to represent
suitable "reductions modulo (F, G)"

$$\overline{dF}, \quad \overline{x\,dF}, \quad \overline{y\,dF}, \quad \overline{dG}, \quad \overline{x\,dG}$$

which we need to explain. We write $d\mathcal{R}$ for the $\mathcal{R}$-module of differential forms
on $C - \{P_\infty\}$; then $d\mathcal{R}$ is generated by dx and dy, with the sole relation $df = 0$
for f(x, y) the equation of the curve in (1).

Lemma 5.1 The $\mathcal{R}$-module $d\mathcal{R}$ is free of rank 1, and is generated by a
differential form $\omega_0$ such that

$$dx = f_y\,\omega_0, \qquad dy = -f_x\,\omega_0, \qquad (10)$$

where $f_y = \partial f/\partial y$ and $f_x = \partial f/\partial x$.

Proof:

The relation $df = 0$ means that

$$f_x\,dx + f_y\,dy = 0. \qquad (11)$$

Since C is nonsingular, $f$, $f_x$, and $f_y$ have no common zeros in the algebraic
closure $\overline{K}$. We can therefore write

$$1 = r_1 f_x + r_2 f_y \quad \text{for some } r_1, r_2 \in \mathcal{R}, \qquad (12)$$

and we define

$$\omega_0 = r_2\,dx - r_1\,dy \in d\mathcal{R}.$$

Some algebra with (11), (12) then implies equation (10). In particular,
$dx, dy \in \mathcal{R}\omega_0$ so that $\omega_0$ generates $d\mathcal{R}$ as an $\mathcal{R}$-module. To see that the annihilator of $\omega_0$
is 0, one can argue directly from (11), (12), and the definition of $\omega_0$, or one can
use the fact that $d\mathcal{R}$ is a rank one projective module over the Dedekind domain
$\mathcal{R}$, and hence free, as it has a global generator $\omega_0$. □

At this stage, we can state precisely what we mean by the reduction modulo
(F, G) of the differential forms $dF, \ldots, x\,dG$.

Corollary 5.2 Define the reduction of an element of $d\mathcal{R}$ to be its image in
$A' = d\mathcal{R}/(F,G)d\mathcal{R}$. Then A' is a free A-module of rank 1, generated by the
reduction $\bar{\omega}_0$.

We can in fact choose any generator $\bar{\omega}$ of A', not just $\bar{\omega}_0$. Then an element of
A' has the form $\bar{r}\bar{\omega}$ for some $r \in \mathcal{R}$, where the reduction $\bar{r} \in A$ is well-defined.
We then represent a reduction $\bar{r}\bar{\omega}$ by the vector $B_r \in K^3$. Our choice of $\bar{\omega}$ below
was inspired by a careful reading of the formulae for doubling in [7]. This saves
us several multiplications over using the generator $\bar{\omega}_0$.

Lemma 5.3 For a typical divisor D:

1. The reduction $\overline{dF}$ generates the A-module A'.

2. There exist $G_1 \in W^7$, $H_1 \in W^8$ such that $FH_1 + GG_1 = 0$, and $\bar{G}_1$ is a
unit in the ring A.

3. There exists a generator $\bar{\omega} \in A'$ such that

$$\overline{dF} = \bar{G}_1\bar{\omega}, \qquad \overline{dG} = -\bar{H}_1\bar{\omega}. \qquad (13)$$

Proof:

The first assertion holds because F typically vanishes to order exactly one at
each point of D, so dF is nonzero at the points of D. The second assertion comes
from our results in Subsection 2.3 and Section 10 (replace $\{F'', G'', G''', H\}$
there by $\{F, G, G_1, H_1\}$; no circular reasoning is involved). The divisor of F
is $(F) = D + D_1 - 6P_\infty$ for a "complementary" divisor $D_1$ of D, which is
typically disjoint from D. (In the original setting of Section 10, D''' was the
complementary divisor of D''.) Moreover, the only points where F and $G_1$
simultaneously vanish are typically those of $D_1$, since $\{F, G_1\}$ are an IGS for
$D_1$ (indeed, they are a basis for $W^7_{D_1}$). Thus $G_1$ does not vanish at any point of
D, so $\bar{G}_1$ is invertible in A as claimed. For the third assertion, the first part of
equation (13) serves to define a generator $\bar{\omega}$ in light of parts 1 and 2 above; the
second part of (13) follows upon expanding the equation $d(FH_1 + GG_1) = 0$,
reducing modulo (F, G), and cancelling $\bar{G}_1$. □

The upshot of the above discussion is that we can represent an element of A', of
the form $\bar{u}\bar{\omega}$ with a unique $\bar{u} \in A$, by the column vector $B_u \in K^3$. In particular,
we represent $\overline{dF} = \bar{G}_1\bar{\omega}$ by $B_{G_1}$, and $\overline{dG} = -\bar{H}_1\bar{\omega}$ by $B_{-H_1}$. Hence, we can
take the columns of our matrix M to be

$$B_{G_1}, \quad B_{xG_1}, \quad B_{yG_1}, \quad B_{-H_1}, \quad B_{-xH_1}.$$

Proposition 5.4 Given $F, G, a^{-1}$, the entries of the matrix M can be computed
at a cost of 34M.

Proof: 

We first compute $G_1$ and $H_1$ at a cost of 10M, by part 2 of Proposition 10.1
(recall that we replace $\{F'', G'', G''', H\}$ there by $\{F, G, G_1, H_1\}$). For later use,
we also compute the matrix $T_y$ as in part 3 of Proposition 3.2. This costs us only
a further 5M, since we have already computed the expression $a^{-1}(c + d(d - b))$
as part of computing $G_1, H_1$ (when we computed (a") _1 ^ in the context of the
proof of Proposition 10.1). As a result, we now have g, h, and i.

Our next step is to reduce $G_1$ and $H_1$ modulo (F, G), so as to obtain $B_{G_1}$ and
$B_{H_1}$; the extra negation to get $B_{-H_1}$ costs nothing. We reduce $\bar{G}_1 = \overline{G_1 - G}$
at no multiplicative cost, and since $G_1 - G \in K \cdot 1 + K \cdot x + K \cdot y$ from our
formulae for $G_1$ and G, we obtain $B_{G_1}$ for free. As for $H_1$, we have
$H_1 = -y^2 + ax^2 + (K\text{-linear combination of } 1, x, y)$; hence by (8)

$$\bar{H}_1 = \overline{H_1 + y^2 + gy + hx + i - aF} \in K \cdot \bar{1} + K \cdot \bar{x} + K \cdot \bar{y}$$

will be reduced. The only multiplication needed is to obtain aF, which costs
2M to obtain $a^2$, $ac$, since we already found $ab$ as part of finding $G_1, H_1$.

Finally, we multiply $T_x$ by the $3 \times 2$ matrix $(B_{G_1} \mid B_{-H_1})$ to obtain $B_{xG_1}$
and $B_{-xH_1}$ at a cost of 11M, as in the proof of Proposition 4.1; we also obtain
$B_{yG_1} = T_y B_{G_1}$ at a cost of 6M, by part 3 of Proposition 3.2. □



6 Finding the kernel of M 

To find $W^{10}_{D+D'}$ (respectively in the case of addition (respectively,
doubling), we must now determine the kernel of our $3 \times 5$ matrix M from Section
4 (respectively, Section 5). A vector

$$v = \begin{pmatrix} c_1 \\ \vdots \\ c_5 \end{pmatrix}$$

satisfying $Mv = 0$ corresponds in both cases to

$$L = c_1F' + c_2xF' + c_3yF' + c_4G' + c_5xG' \in W^{10}_{D+D'},$$

since D = D' in the case of doubling. Our later calculations will be significantly
simplified if we can find a basis {s, t} for $W^{10}_{D+D'}$ of the following special "monic"
form:

$$\begin{aligned}
s &= x^3 + (K\text{-linear combination of } y^2, xy, x^2, y, x, 1) \\
  &= 0x^2y + 1x^3 + \ldots \in W^9_{D+D'} \\
t &= x^2y + (K\text{-linear combination of } y^2, xy, x^2, y, x, 1) \\
  &= 1x^2y + 0x^3 + \ldots \in W^{10}_{D+D'}.
\end{aligned}$$

To do this, we actually find the kernel of a modification M' of M: if M has
columns

$$K_1 \quad K_2 \quad K_3 \quad K_4 \quad K_5$$

then M' has columns

$$K_1 \quad K_4 \quad K_3 - K_5 \quad K_2 \quad K_5.$$

Note that M' can be calculated from M without any field multiplications. In
the case of addition, the columns of M' correspond to

$$F' \quad G' \quad yF' - xG' \quad xF' \quad xG'$$

and a vector $(c'_1, \ldots, c'_5) \in \ker M'$ corresponds to a combination

$$c'_1F' + c'_2G' + c'_3(yF' - xG') + c'_4(xF') + c'_5(xG') \in W^{10}_{D+D'};$$

an analogous statement holds in the case of doubling.

We shall see in Section 7 that the "monic" element s comes from a kernel
vector with $c'_5 = 0$, $c'_4 = 1$, while t comes from a kernel vector with $c'_5 = 1$, $c'_4 = 0$.
We thus perform row reduction on M' so as to express the unknown coefficients
$c'_1, c'_2, c'_3$ in terms of the "free variables" $c'_4$ and $c'_5$.

We write the entries of the modified matrix M' as:

$$M' = \begin{pmatrix} A_1 & B_1 & C_1 & D_1 & E_1 \\ A_2 & B_2 & C_2 & D_2 & E_2 \\ A_3 & B_3 & C_3 & D_3 & E_3 \end{pmatrix}$$

with rows $R_i = (A_i \; B_i \; C_i \; D_i \; E_i)$, $i = 1, 2, 3$.

Proposition 6.1 A basis for the kernel of M' can be obtained using 39M, 1I. 
Proof: 

Apply row operations to the rows $R_1, R_2, R_3$. This transforms M' into the 
following echelon form with the same kernel: 

$$\begin{pmatrix} A_1 & B_1 & C_1 & D_1 & E_1 \\ 0 & D & \sigma_1 & \sigma_2 & \sigma_3 \\ 0 & 0 & U & \sigma_4 & \sigma_5 \end{pmatrix}$$

where the new rows are $R'_1 = R_1$, $R'_2 = A_1 R_2 - A_2 R_1$, $R'_3 = \Delta_{12} R_3 - \Delta_{13} R_2 + \Delta_{23} R_1$. 
Here, the $\Delta_{ij}$'s are 2x2 minors coming from the first two columns of 
M', as given by the formulae below. This requires us to compute the following 
quantities at a cost of 21M: 

$$\begin{aligned}
D = \Delta_{12} &= A_1 B_2 - A_2 B_1 \\
\Delta_{13} &= A_1 B_3 - A_3 B_1 \\
\Delta_{23} &= A_2 B_3 - A_3 B_2 \\
\sigma_1 &= A_1 C_2 - A_2 C_1 \\
\sigma_2 &= A_1 D_2 - A_2 D_1 \\
\sigma_3 &= A_1 E_2 - A_2 E_1 \\
U &= \Delta_{12} C_3 - \Delta_{13} C_2 + \Delta_{23} C_1 \\
\sigma_4 &= \Delta_{12} D_3 - \Delta_{13} D_2 + \Delta_{23} D_1 \\
\sigma_5 &= \Delta_{12} E_3 - \Delta_{13} E_2 + \Delta_{23} E_1.
\end{aligned}$$
To perform back substitution, we need to obtain 

$$A_1^{-1},\quad D^{-1},\quad \text{and}\quad U^{-1}. \tag{14}$$

For this, we perform 

$$Q_1 = A_1 D, \quad Q_2 = Q_1 U, \quad Q_3 = Q_2^{-1},$$

$$U^{-1} = Q_1 Q_3, \quad Q_4 = U Q_3, \quad D^{-1} = A_1 Q_4, \quad A_1^{-1} = D Q_4,$$

so the inverses in (14) above can all be produced using 6M, 1I. Back substitution 
performed on the echelon matrix above now costs a further 6M + 6M = 12M to find the 
two basis elements $(\alpha, \beta, \gamma, 1, 0)^T$ and $(\delta, \epsilon, \zeta, 0, 1)^T$ of the kernel, corresponding 
to s and t. (Solve for $\gamma, \beta, \alpha, \zeta, \epsilon, \delta$ in that order.) □ 
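
The kernel computation of Proposition 6.1, as an added example in Python that is not code from the paper: it follows the proof's formulas over a prime field and uses one modular inversion for all three pivots. The modulus P, the function names and the sample matrix are assumptions constructed for illustration.

```python
# Added example (not from the paper): Proposition 6.1 over a prime field F_p.
P = 2**61 - 1  # constructed sample modulus (a Mersenne prime)

def kernel_basis(Mp, p=P):
    """Return kernel vectors (alpha,beta,gamma,1,0) and (delta,eps,zeta,0,1) of M'."""
    (A1, B1, C1, D1, E1), (A2, B2, C2, D2, E2), (A3, B3, C3, D3, E3) = Mp
    # 2x2 minors of the first two columns; D is the pivot of row 2 (6M)
    d12 = (A1 * B2 - A2 * B1) % p
    d13 = (A1 * B3 - A3 * B1) % p
    d23 = (A2 * B3 - A3 * B2) % p
    D = d12
    # R2' = A1*R2 - A2*R1 (6M)
    s1 = (A1 * C2 - A2 * C1) % p
    s2 = (A1 * D2 - A2 * D1) % p
    s3 = (A1 * E2 - A2 * E1) % p
    # R3' = d12*R3 - d13*R2 + d23*R1 (9M)
    U = (d12 * C3 - d13 * C2 + d23 * C1) % p
    s4 = (d12 * D3 - d13 * D2 + d23 * D1) % p
    s5 = (d12 * E3 - d13 * E2 + d23 * E1) % p
    # A1^-1, D^-1 and U^-1 from a single field inversion (6M, 1I)
    Q1 = A1 * D % p
    Q2 = Q1 * U % p
    if Q2 == 0:
        raise ZeroDivisionError("A1*D*U = 0: a pivot vanishes, formulas do not apply")
    Q3 = pow(Q2, -1, p)
    U_inv = Q1 * Q3 % p
    Q4 = U * Q3 % p
    D_inv = A1 * Q4 % p
    A1_inv = D * Q4 % p

    def back_substitute(r3, r2, r1):
        # Solve rows 3, 2, 1 in that order for one choice of free variables (6M)
        c3 = -r3 * U_inv % p
        c2 = -(s1 * c3 + r2) * D_inv % p
        c1 = -(B1 * c2 + C1 * c3 + r1) * A1_inv % p
        return c1, c2, c3

    v1 = back_substitute(s4, s2, D1) + (1, 0)  # c4' = 1, c5' = 0: gives s
    v2 = back_substitute(s5, s3, E1) + (0, 1)  # c4' = 0, c5' = 1: gives t
    return v1, v2

def mat_vec(Mp, v, p=P):
    """Product M' * v reduced modulo p."""
    return [sum(a * b for a, b in zip(row, v)) % p for row in Mp]

# Constructed sample matrix, not taken from the paper
SAMPLE = [[2, 3, 5, 7, 11], [13, 17, 19, 23, 29], [31, 37, 41, 43, 47]]
```

A zero product $A_1 D U$ is reported as an error rather than handled, matching the proof, which assumes all three pivots are invertible.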



7 Finding s and t 

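At this point, we have obtained a basis $\{v'_1, v'_2\}$ for the kernel of M' of the form 

$$v'_1 = (\alpha, \beta, \gamma, 1, 0)^T$$

corresponding to s, and 

$$v'_2 = (\delta, \epsilon, \zeta, 0, 1)^T$$

corresponding to t. The desired elements s and t are 

$$\begin{aligned}
s &= \alpha F' + \beta G' + \gamma (yF' - xG') + xF' \\
t &= \delta F' + \epsilon G' + \zeta (yF' - xG') + xG'.
\end{aligned}$$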

(This includes the case of doubling, for which F' = F and G' = G.) We now 
have the following: 

Proposition 7.1 Given $v'_1$ and $v'_2$ as above, s and t can be obtained at a cost 
of 18M. 

Proof: 

To calculate s and t using as few multiplications as possible, we illustrate the 
following steps for s (those for t follow similarly). We have 

$$s = (\alpha + \gamma y) F' + (\beta - \gamma x) G' + xF',$$

where 

$$\begin{aligned}
F' &= x^2 + a'y + b'x + c' \\
G' &= xy + d'y + e'x + f'.
\end{aligned}$$

We now wish to expand s as a linear combination of the monomials $x^3$, $y^2$, $xy$, 
$x^2$, $y$, $x$, and 1. Write 

$$\begin{aligned}
s = {} & (\alpha + \gamma y) x^2 + (\beta - \gamma x) xy + xF' && \text{(I)} \\
& + (\alpha + \gamma y)(a'y + b'x + c') + (\beta - \gamma x)(d'y + e'x + f'). && \text{(II)}
\end{aligned}$$

The terms in (I) do not involve any multiplication in K (note that the leading 
coefficient $x^3$ comes from $xF'$). The terms in (II) can be written as 

$$\begin{aligned}
& (\alpha + \gamma y) b'x + (\beta - \gamma x) d'y && \text{(III)} \\
& + (\alpha + \gamma y)(a'y + c') + (\beta - \gamma x)(e'x + f'), && \text{(IV)}
\end{aligned}$$

where (III) requires 3M to form $\gamma (b' - d') xy + \alpha b' x + \beta d' y$ and (IV) requires 
6M in total, using Karatsuba's method for each of the two terms. The total 
cost is thus 9M to find s. 

Finding t also requires 9M; the only essential difference is that $xF'$ becomes 
$xG'$ in the analogue of (I). 

The total cost to find s and t is thus 18M. Note from the computation that 
s and t are both monic in the sense that their "leading" coefficient is 1, and 
that moreover the coefficient of $x^3$ in t is zero. □ 



8 Calculating $xt$, $yt$, $x^2t$, $xyt$ and $xs$, $ys$, $x^2s$, $xys$, $y^2s$ 

We have now computed $s, t \in W^{10}_{D+D'}$. We let $s_1, \ldots, s_6, t_1, \ldots, t_6$ be the coef- 
ficients of s and t, as in equation © above. As we saw in Subsection 2.2, we 
now wish to find $F'', G'' \in W^7_{D''}$ via 

$$KF'' + KG'' = \{\ell \in W^7 \mid \ell t \in sW^8 + W^9\}.$$

Thus, $\ell t$ is a K-linear combination of the basis $\{t, xt, yt, x^2t, xyt\}$ for $tW^7$ that 
is congruent to a K-linear combination of the basis $\{s, xs, ys, x^2s, xys, y^2s\}$ for 
$sW^8$ in the quotient space $W^{17}/W^9$. We express these multiples of s and t in 
terms of the following ordered basis for $W^{17}$: 

$$\{1, x, y, x^2, xy, y^2, x^3, x^2y, xy^2, y^3, x^3y, x^2y^2, xy^3, y^4, x^3y^2\}. \tag{15}$$

To work in $W^{17}/W^9$, we need only the coefficients of the last eight monomials: 

$$\{x^2y, xy^2, y^3, x^3y, x^2y^2, xy^3, y^4, x^3y^2\} \tag{16}$$

Lemma 8.1 Given s and t as above, producing the relevant coefficients of $xt$, 
$yt$, $x^2t$, $xyt$, $xs$, $ys$, $x^2s$, $xys$, and $y^2s$ requires 2M. 
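Proof: 

Our choice of basis for $W^{17}$ means that we use the equation of the curve (1) to 
eliminate all monomials $x^i y^j$ with $i \geq 4$. Carrying this out for the multiples of 
s and t above, we obtain the matrix 

$$N = \left(\begin{array}{ccccccccccc}
t_6 & 0 & 0 & t_3 q_0 & 0 & s_6 & q_0 & 0 & s_3 q_0 & 0 & 0 \\
t_5 & t_6 & 0 & t_3 q_1 & 0 & s_5 & s_6 + q_1 & 0 & q_0 + s_3 q_1 & 0 & 0 \\
t_4 & 0 & t_6 & q_0 + t_3 p_0 & 0 & s_4 & p_0 & s_6 & s_3 p_0 & q_0 & 0 \\
t_3 & t_5 & 0 & t_6 + t_3 q_2 & 0 & s_3 & s_5 + q_2 & 0 & s_6 + q_1 + s_3 q_2 & 0 & 0 \\
t_2 & t_4 & t_5 & q_1 + t_3 p_1 & t_6 & s_2 & s_4 + p_1 & s_5 & p_0 + s_3 p_1 & s_6 + q_1 & 0 \\
t_1 & 0 & t_4 & p_0 & 0 & s_1 & 0 & s_4 & 0 & p_0 & s_6 \\
0 & t_3 & 0 & t_5 & 0 & 1 & s_3 & 0 & s_5 + q_2 & 0 & 0 \\
1 & t_2 & t_3 & t_4 + q_2 + t_3 p_2 & t_5 & 0 & s_2 + p_2 & s_3 & s_4 + p_1 + s_3 p_2 & s_5 + q_2 & 0 \\
0 & t_1 & t_2 & p_1 & t_4 & 0 & s_1 & s_2 & 0 & s_4 + p_1 & s_5 \\
0 & 0 & t_1 & t_3 & 0 & 0 & 1 & s_1 & s_3 & 0 & s_4 \\
0 & 1 & 0 & t_2 & t_3 & 0 & 0 & 1 & s_2 + p_2 & s_3 & 0 \\
0 & 0 & 1 & t_1 + p_2 & t_2 & 0 & 0 & 0 & s_1 & s_2 + p_2 & s_3 \\
0 & 0 & 0 & 0 & t_1 & 0 & 0 & 0 & 1 & s_1 & s_2 \\
0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 1 & s_1 \\
0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 1
\end{array}\right)$$

whose columns represent in that order $t$, $xt$, $yt$, $x^2t$, $xyt$, $s$, $xs$, $ys$, $x^2s$, $xys$, 
and $y^2s$ with respect to our full basis for $W^{17}$ given in (15) above. However, 
since we only need the last eight rows of N to indicate the values in $W^{17}/W^9$, 
we only need to work with the matrix 

$$N' = \left(\begin{array}{ccccccccccc}
1 & t_2 & t_3 & t_4 + q_2 + t_3 p_2 & t_5 & 0 & s_2 + p_2 & s_3 & s_4 + p_1 + s_3 p_2 & s_5 + q_2 & 0 \\
0 & t_1 & t_2 & p_1 & t_4 & 0 & s_1 & s_2 & 0 & s_4 + p_1 & s_5 \\
0 & 0 & t_1 & t_3 & 0 & 0 & 1 & s_1 & s_3 & 0 & s_4 \\
0 & 1 & 0 & t_2 & t_3 & 0 & 0 & 1 & s_2 + p_2 & s_3 & 0 \\
0 & 0 & 1 & t_1 + p_2 & t_2 & 0 & 0 & 0 & s_1 & s_2 + p_2 & s_3 \\
0 & 0 & 0 & 0 & t_1 & 0 & 0 & 0 & 1 & s_1 & s_2 \\
0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 1 & s_1 \\
0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 1
\end{array}\right)$$

This shows that we only need to compute the multiples $t_3 \cdot p_2$ and $s_3 \cdot p_2$, thereby 
proving our result. □ 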



9 Finding $F''$, $G''$ that span the subspace $W^7_{D''}$ 

We refer to the columns of N' above as 

$$N' = (C_1 \mid C_2 \mid C_3 \mid \ldots \mid C_{11}).$$

We now need to find a linear combination of the first five columns $C_1, \ldots, C_5$ of 
N', corresponding to a basis for the image of $tW^7$ in $W^{17}/W^9$, which belongs to 
the span of the last six columns $C_6, \ldots, C_{11}$ of N', corresponding to the image 
of $sW^8$ in $W^{17}/W^9$. Let V denote the 5-dimensional subspace of $K^8$ spanned 
by the columns $C_6, \ldots, C_{11}$ (of course the zero column $C_6$ is irrelevant), and let 
T denote the set of columns $\{C_1, \ldots, C_5\}$: we thus want to find combinations 
of columns of T that map to zero in the 3-dimensional quotient $K^8/V$. This 
quotient can be identified with the subspace $V' \subset K^8$ given by 

$$V' = \{(\alpha, \beta, 0, 0, \gamma, 0, 0, 0)^T \mid \alpha, \beta, \gamma \in K\},$$

since V and V' are complementary subspaces. Our first goal is then to reduce 
the columns of T modulo V, so as to obtain elements $\overline{C}_1, \ldots, \overline{C}_5 \in V'$ with 

$$\overline{C}_i = C_i \bmod V = (\alpha_i, \beta_i, 0, 0, \gamma_i, 0, 0, 0)^T, \qquad i = 1, \ldots, 5.$$

After that, we will need to determine the kernel of the 3x5 matrix 

$$M'' = \begin{pmatrix} \alpha_1 & \alpha_2 & \alpha_3 & \alpha_4 & \alpha_5 \\ \beta_1 & \beta_2 & \beta_3 & \beta_4 & \beta_5 \\ \gamma_1 & \gamma_2 & \gamma_3 & \gamma_4 & \gamma_5 \end{pmatrix}$$

to obtain $F''$ and $G''$. 

Lemma 9.1 Given the matrix N', the columns of T can be reduced modulo V 
to produce the columns of the matrix M'', at a total cost of 19M. 

Proof: 

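As a preliminary calculation, we find elements $D_8$, $D_{10}$, and $D_{11}$ of V, corre- 
sponding respectively to $ys - s_1 xs = (y - s_1 x)s$, $x(y - s_1 x)s$, and $y(y - s_1 x)s$. 
This will aid us in reducing columns of T modulo V. We have: 

$$D_8 = C_8 - s_1 C_7 = \begin{pmatrix} s_3 - s_1(s_2 + p_2) \\ s_2 - s_1^2 \\ 0 \\ 1 \\ 0 \\ 0 \\ 0 \\ 0 \end{pmatrix},$$

$$D_{10} = C_{10} - s_1 C_9 = \begin{pmatrix} s_5 + q_2 - s_1(s_4 + p_1 + s_3 p_2) \\ s_4 + p_1 \\ -s_1 s_3 \\ s_3 - s_1(s_2 + p_2) \\ s_2 + p_2 - s_1^2 \\ 0 \\ 1 \\ 0 \end{pmatrix}, \qquad
D_{11} = C_{11} - s_1 C_{10} = \begin{pmatrix} -s_1(s_5 + q_2) \\ s_5 - s_1(s_4 + p_1) \\ s_4 \\ -s_1 s_3 \\ s_3 - s_1(s_2 + p_2) \\ s_2 - s_1^2 \\ 0 \\ 1 \end{pmatrix}.$$

Calculating $D_8$, $D_{10}$ and $D_{11}$ costs 6M, as we already know $s_3 p_2$ from N', so 
it suffices to calculate 

$$s_1(s_2 + p_2), \quad s_1^2, \quad s_1(s_4 + p_1 + s_3 p_2), \quad -s_1 s_3, \quad -s_1(s_5 + q_2), \quad -s_1(s_4 + p_1).$$

It is clear that V is spanned by $\{C_7, D_8, C_9, D_{10}, D_{11}\}$. We now compute the 
reduction of columns of T modulo V. 
First, note that 

$$\overline{C}_1 = C_1 \in V'$$

which comes at no cost, so we obtain 

$$\begin{pmatrix} \alpha_1 \\ \beta_1 \\ \gamma_1 \end{pmatrix} = \begin{pmatrix} 1 \\ 0 \\ 0 \end{pmatrix}.$$

Second, 

$$\overline{C}_2 = C_2 - D_8 \in V'$$

which also comes at no cost, so that 

$$\begin{pmatrix} \alpha_2 \\ \beta_2 \\ \gamma_2 \end{pmatrix} = \begin{pmatrix} t_2 - s_3 + s_1(s_2 + p_2) \\ t_1 - s_2 + s_1^2 \\ 0 \end{pmatrix}.$$

Third, we have 

$$\overline{C}_3 = C_3 - t_1 C_7 \in V',$$

costing 2M to calculate $t_1 C_7$, and hence 

$$\begin{pmatrix} \alpha_3 \\ \beta_3 \\ \gamma_3 \end{pmatrix} = \begin{pmatrix} t_3 - t_1(s_2 + p_2) \\ t_2 - t_1 s_1 \\ 1 \end{pmatrix}.$$

Fourth and fifth, note that 

$$C_4 - D_{10} = (m_1, m_2, m_3, m_4, m_5, 0, 0, 0)^T \quad \text{with } m_i \in K,\ i = 1, \ldots, 5,$$

$$C_5 - D_{11} = (z_1, z_2, z_3, z_4, z_5, z_6, 0, 0)^T \quad \text{with } z_i \in K,\ i = 1, \ldots, 6,$$

so that 

$$C_5 - D_{11} - z_6 C_9 = (\ell_1, \ell_2, \ell_3, \ell_4, \ell_5, 0, 0, 0)^T \quad \text{with } \ell_i \in K.$$

Hence our desired reductions are 

$$\begin{aligned}
\overline{C}_4 &= C_4 - D_{10} - m_4 D_8 - m_3 C_7 \\
\overline{C}_5 &= C_5 - D_{11} - z_6 C_9 - \ell_4 D_8 - \ell_3 C_7,
\end{aligned}$$

which ensures that $\overline{C}_4$ and $\overline{C}_5$ belong to V'. We require 4M to find $z_6 C_9$, 
which allows us to calculate the vectors $C_4 - D_{10}$ and $C_5 - D_{11} - z_6 C_9$. The 
expressions $m_4 D_8 + m_3 C_7$ and $\ell_4 D_8 + \ell_3 C_7$ can now be obtained simultaneously 
as the matrix product 

$$\bigl( C_7 \mid D_8 \bigr) \begin{pmatrix} m_3 & \ell_3 \\ m_4 & \ell_4 \end{pmatrix}.$$

The entries of $C_7$ and $D_8$ are mostly zeros and ones, and the only part of the 
above matrix product that involves nontrivial multiplications in K is the top 
2x2 submatrix multiplication 

$$\begin{pmatrix} s_2 + p_2 & s_3 - s_1(s_2 + p_2) \\ s_1 & s_2 - s_1^2 \end{pmatrix} \begin{pmatrix} m_3 & \ell_3 \\ m_4 & \ell_4 \end{pmatrix}. \tag{17}$$

This costs 7M using Strassen's technique. At this point we need no further 
multiplications to produce $\overline{C}_4$ and $\overline{C}_5$. 

Adding up the costs to produce all of $\overline{C}_1, \ldots, \overline{C}_5$ concludes the proof. □ 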



Lemma 9.2 Given s and t, the columns of T can be obtained and reduced 
modulo V, thereby obtaining the matrix M'', at a total cost of 20M. (I.e., we 
can save one multiplication compared to using Lemmas 8.1 and 9.1.) 

Proof: 

We claim that the two multiplications $t_3 p_2$ from Lemma 8.1 and $s_1(s_4 + p_1 + s_3 p_2)$ 
from Lemma 9.1 can be replaced with a single multiplication. To see this, 
observe that these two multiplications are used only when we calculate the first 
coefficient $m_1$ in the column vector $C_4 - D_{10} = (m_1, m_2, m_3, m_4, m_5, 0, 0, 0)^T$. 
Now rearrange 

$$\begin{aligned}
m_1 &= t_4 + q_2 + t_3 p_2 - s_5 - q_2 + s_1(s_4 + p_1 + s_3 p_2) \\
    &= t_4 - s_5 + s_1(s_4 + p_1) + (t_3 + s_1 s_3) p_2.
\end{aligned}$$

Since we have already computed $s_1(s_4 + p_1)$ and $s_1 s_3$ during Lemma 9.1, we see 
that we can replace the two multiplications $t_3 p_2$ and $s_1(s_4 + p_1 + s_3 p_2)$ by the 
single multiplication $(t_3 + s_1 s_3) p_2$. This concludes our proof. □ 

The following proposition now allows us to find the desired polynomials 

$$\begin{aligned}
F'' &= x^2 + a''y + b''x + c'' \\
G'' &= xy + d''y + e''x + f''.
\end{aligned}$$

Proposition 9.3 Given s and t, the polynomials $F''$ and $G''$, as well as the 
inverse $(a'')^{-1}$, can be obtained using 31M, 1I. 

Proof: 

Recall that the columns of M'' represent the reductions of each of $t$, $xt$, $yt$, 
$x^2t$ and $xyt$ modulo the multiples of s via the "reduction modulo V" described 
above. Hence, by Lemma 9.2 the matrix M'' can be obtained using 20M, and 
has the form 

$$M'' = \begin{pmatrix} 1 & \alpha_2 & \alpha_3 & \alpha_4 & \alpha_5 \\ 0 & \beta_2 & \beta_3 & \beta_4 & \beta_5 \\ 0 & 0 & 1 & \gamma_4 & \gamma_5 \end{pmatrix}.$$

In anticipation of our next step, we compute $\gamma_4^{-1}$ and $\beta_2^{-1}$ using 3M, 1I (i.e., 
find $\beta_2 \cdot \gamma_4$, invert it, and multiply the inverse separately with each of $\beta_2$ and 
$\gamma_4$). We now can find two vectors 

$$\begin{aligned}
v''_1 &= (c'', b'', a'', 1, 0)^T \\
v''_2 &= (f'', e'', d'', 0, 1)^T
\end{aligned}$$

that span the kernel of M'' using back substitution, requiring a further 8M. 
Those give us the coefficients of the polynomials $F''$ and $G''$. Note that $a'' = -\gamma_4$, 
and so we know its inverse thanks to our previous anticipatory step. □ 



10 Negating the final result, and an application 
to Section [5] 

As mentioned in Subsection 2.3, our final result representing = — £" = £ + 
will be a pair $\{F''', G'''\}$, with $F''' = F''$ and $G''' = xy + d'''y + e'''x + f''' \in W^7_{D'''}$ 
that satisfies $G''G''' + F''H = 0$ for some $H \in W^8$. We can then in principle 
find $G'''$ by a procedure analogous to that in Sections [5] and [5J by working 
modulo $W^6$, which is analogous to how we previously dropped some rows from 
the matrix N to get N'. If we furthermore need to find H, as is the case in 
Proposition [2131 we can do something similar by dropping one fewer row at the 
start, i.e., by working modulo $W^4$ (we invite the reader to check that this extra 
"precision" is required exactly to obtain the constant term of H). 

We however preferred to find the following solution by a direct calculation: 

$$\begin{aligned}
G''' = {} & xy + (b'' - d'')y - (\ell (a'')^{-1} + m)x \\
& + [m d'' + (\ell (a'')^{-1} + e'')(d'' - b'') + a''(a''b'' - p_1) - f''] \\
H = {} & -y^2 + a''x^2 + \ell (a'')^{-1} y - a''b''x \\
& + [(\ell (a'')^{-1} + m)e'' + a''(b''^2 - c'' - q_2)],
\end{aligned}$$

where 

$$\begin{aligned}
m &= e'' + a''(a'' + p_2) \\
\ell &= c'' + (d'' - b'')d''.
\end{aligned}$$

This can be verified without setting up a system of linear equations: instead, 
note that our expressions for $G'''$, $H$ satisfy $G''G''' + F''H \in K \cdot x + K \cdot y + K \cdot 1 = W^4$ 
(taking into account equation (1) of our curve). However, any combination 
of $F''$ and $G''$ vanishes at $D''$, so $G''G''' + F''H \in W^4_{D''} = 0$, since $D''$ is typical. 
Thus our result is: 

Proposition 10.1 Given $F''$, $G''$ and $(a'')^{-1}$, let $F'''$, $G'''$ represent the negative 
in the Jacobian; then $F''' = F''$, and we obtain $(a'')^{-1} = (a''')^{-1}$ for free. 

1. It costs 7M to compute $G'''$ as given by the above formulae. 

2. It costs 10M to compute both $G'''$ and $H$, satisfying $G''G''' + F''H = 0$. 

Proof: 

First compute $m$ and $\ell$, then compute $\ell (a'')^{-1}$ and $a''b''$, and then compute the 
remaining coefficients of $G'''$ (and of $H$, if needed) using the above expressions. 

□ 
11 Conclusion 



We now assemble all the parts to obtain the main result of our paper: 

Theorem 11.1 In the Jacobian of a $C_{3,4}$ curve defined over a large finite field 
K, point addition can be performed on typical elements using 117 field multi- 
plications and 2 field inversions. Point doubling can be performed on typical 
elements using 129 field multiplications and 2 field inversions. 

Proof: 

For point addition, add up the costs of Propositions 4.1, 6.1, 7.1, 9.3, and part 
1 of Proposition 10.1. For point doubling, add up the costs of Propositions 5.4 
O E02 and part 1 of Proposition 10.1. □ 

In terms of the number of multiplications required, our results represent 
improvements of 19.3% for addition and 22.8% for doubling (compared to [7]), 
and of 22% for addition and 25.8% for doubling (compared to [5]). All the 
algorithms require two inversions in K per group operation in the Jacobian. 